Intel makes security-first pledge

As it scrambles to deal with the Meltdown and Spectre processor exploits, Intel has made a series of security commitments

Intel has said it is committed to publicly identifying significant security vulnerabilities and following rules of responsible disclosure, in order to accelerate the security of the entire industry.

“We also commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks,” said Intel CEO Brian Krzanich in an open letter to technology industry leaders. “We also commit to adding incremental funding for academic and independent research into potential security threats.”

Krzanich added that Intel encourages its industry partners to continue to support these practices.

Timely adoption of software and firmware patches by consumers and system manufacturers is critical, said Krzanich, adding that transparent and timely sharing of performance data by hardware and software developers is essential to rapid progress.

Krzanich said Intel has worked closely with its partners around Meltdown and Spectre with the shared goal of restoring confidence in the security of customers’ data as quickly as possible.

“The degree of collaboration across the industry has been remarkable,” he said. “I am very proud of how our industry has pulled together and want to thank everyone for their extraordinary collaboration.”

In particular, he thanked the Google Project Zero team for practising responsible disclosure, creating the opportunity for the industry to address these issues in a co-ordinated way.

Project Zero was one of three teams that independently discovered and reported the Meltdown exploit, and one of two teams that independently discovered and reported the Spectre exploit.

As part of Intel’s efforts to restore customer confidence, in addition to ongoing security assurance, Krzanich said he has committed Intel to “customer-first urgency”, and to transparent and timely communications, with frequent reports on patch progress, performance data and other information.

“By 15 January, we will have issued updates for at least 90% of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January,” he said. “We will then focus on issuing updates for older products as prioritised by our customers.”


A wide range of security advisers agree that now that the exploits have been made public, it is only a matter of time before cyber attackers try to make use of them, and for this reason, enterprises cannot afford to waste any time applying security updates from suppliers as they become available.

However, the Wall Street Journal reports that Intel is quietly advising some customers to hold off installing patches because some of the patches have bugs of their own.

The glitch underlines the difficulty of Intel’s challenge as it rushes to fix the unprecedented vulnerabilities, say industry commentators.

Following the Wall Street Journal report, Intel issued a statement by Navin Shenoy, general manager of its datacentre group, confirming that Intel had received reports from “a few customers” of higher system reboots after applying firmware updates.

“Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and datacentre,” he said.

Shenoy said Intel is working with affected customers to understand, diagnose and address the reboot issue. If this requires a revised firmware update, he said Intel would distribute that update through the normal channels.

“End-users should continue to apply updates recommended by their system and operating system providers,” he said.

While the Meltdown exploit largely affects Intel chips, it also impacts some ARM-based products used in smart and embedded devices.

Spectre affects Intel chips as well as most other modern microprocessors, and although AMD initially said there was “near zero risk” to its processors from Spectre because of differences in chip architecture, it has since admitted that the AMD Ryzen and EPYC chips are affected by both Spectre exploit variants.
